Hi everyone,
I'm trying to allow a user to change the passwords of users in a specific subtree.
For example: the user uid=admin-sales,o=Sales,dc=domain,dc=tld is allowed to change the passwords of users in the following directory: ou=Users,o=Sales,dc=domain,dc=tld.
I figured it out by playing with the ACLs, but when enabling password policy the user uid=admin-sales can't change passwords anymore. The only user allowed is the admin (root user).
Is there a way to do so or is it impossible for another user than root to manage passwords with ppolicy enabled?
Regards, Grifith
no idea ?
----- Original message ----- From: Smaïne Kahlouch smainklh@free.fr To: openldap-technical@openldap.org Sent: Sun, 31 Jan 2010 12:55:33 +0100 (CET) Subject: ppolicy : managing passwords by another user than root
Could somebody help me please? I'm asking one last time; otherwise I would have to use my root account within my PHP code :/ (not secure at all)
Regards, Grifith
-------- Original message -------- From: smainklh@free.fr To: openldap-technical@openldap.org Subject: Re: ppolicy : managing passwords by another user than root Date: Mon, 1 Feb 2010 13:34:58 +0100 (CET)
Smaïne Kahlouch wrote:
Could somebody help me please? I'm asking one last time; otherwise I would have to use my root account within my PHP code :/ (not secure at all)
You did not provide any relevant details about your setup, entry data and exact error messages. So the chance is very high that your posting is simply ignored.
I'd recommend starting slapd with debug logging enabled (e.g. with -d on the command line) and analyzing the logs.
Ciao, Michael.
On Monday, 1 February 2010 21:37:11 Smaïne Kahlouch wrote:
Could somebody help me please ?
With what?
I'm asking one last time; otherwise I would have to use my root account within my PHP code :/ (not secure at all)
Assuming your message is relevant to the subject of this thread, php is a dead end, as it has no password policy control. I have some perl scripts to manage password-policy changes.
Regards, Buchan
On Monday, 1 February 2010 13:34:58 smainklh@free.fr wrote:
no idea ?
As documented in slapo-ppolicy(5), some attributes (those with NO-USER-MODIFICATION and USAGE directoryOperation) cannot be set by normal users. For example, only the rootdn is currently able to unlock an account that is locked out.
However, subject to appropriate ACLs, non-rootdn DNs should be able to update other attributes related to password changes. You may want to enable acl debugging to see which attributes are getting attempted changes rejected.
Regards, Buchan
On Sun, Jan 31, 2010 at 12:55:33PM +0100, Smaïne Kahlouch wrote:
I'm trying to allow a user to change the passwords of users in a specific subtree.
I figured it out by playing with the ACLs, but when enabling password policy the user uid=admin-sales can't change passwords anymore. The only user allowed is the admin (root user).
Is there a way to do so or is it impossible for another user than root to manage passwords with ppolicy enabled?
It should be possible, but as Michael says, you have not provided enough information. You should post the full set of ACLs and enough of the DIT so that people can understand what you are doing. You should also post the exact commands you use for testing, and the output from them.
You will find examples of how to delegate control to specific users in my paper "Writing Access Control Policies for LDAP":
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
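A concrete form of the delegation Buchan and Andrew describe, added here as an example and not taken from the thread or from either paper: slapd.conf access directives that grant uid=admin-sales write access to userPassword (and the user-modifiable pwdReset flag) under ou=Users,o=Sales, using the DNs from the question; the remaining DIT layout and the policy settings are assumed.

```conf
# Added example, not from the thread. DNs are the ones in the question;
# everything else about the DIT and the ppolicy entry is assumed.

# slapd stops at the first "access to" clause whose target matches, so the
# password rule must come before any broader rule for the same subtree.
access to dn.subtree="ou=Users,o=Sales,dc=domain,dc=tld" attrs=userPassword
    by dn.exact="uid=admin-sales,o=Sales,dc=domain,dc=tld" write
    by self write
    by anonymous auth
    by * none

# pwdReset is USAGE directoryOperation but NOT NO-USER-MODIFICATION, so a
# delegated admin may set it to TRUE to force a change at next bind.
# pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory and
# pwdGraceUseTime are NO-USER-MODIFICATION: the overlay maintains them
# internally and no ACL can hand them to a non-rootdn, so they are not listed.
access to dn.subtree="ou=Users,o=Sales,dc=domain,dc=tld" attrs=pwdReset
    by dn.exact="uid=admin-sales,o=Sales,dc=domain,dc=tld" write
    by * none

# Remaining attributes of the Sales users: readable by the delegated admin
# and other authenticated users, writable only by the entry itself.
access to dn.subtree="ou=Users,o=Sales,dc=domain,dc=tld"
    by dn.exact="uid=admin-sales,o=Sales,dc=domain,dc=tld" read
    by self write
    by users read
    by * none
```

Verify the grant offline with slapacl(8) before restarting, e.g. `slapacl -f slapd.conf -D "uid=admin-sales,o=Sales,dc=domain,dc=tld" -b "uid=someone,ou=Users,o=Sales,dc=domain,dc=tld" userPassword/write` (entry DN assumed). If that reports write access yet the change is still refused, run slapd with `-d acl` (level 128) as suggested above and check the policy entry itself, since a setting such as pwdSafeModify TRUE rejects any non-rootdn change that does not also supply the old password.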